Firefox 40 Begins Warning Users About Unsigned Add-Ons

With Tuesday’s release of Firefox 40, Mozilla has begun the process of requiring all add-ons for the browser to be signed. The company announced the forthcoming change in February, and Firefox 40 is the first version to warn users about unsigned add-ons.

The goal for the change in policy is to protect users from malicious extensions and add-ons, a problem that has arisen in various browsers over the years. Google has taken the approach of only allowing developers to distribute extensions through its Chrome Web Store.

“However, we believe that forcing all installs through our distribution channel is an unnecessary constraint. To keep this balance, we have come up with extension signing, which will give us better oversight on the add-ons ecosystem while not forcing AMO to be the only add-on distribution channel,” Jorge Villalobos of Mozilla said in a blog post announcing the change in February.

In the next version, Firefox will have an option that allows users to enforce signatures on add-ons, but users will be able to set the preference themselves. Starting with Firefox 42, however, signatures will be enforced on all add-ons in both the beta and release versions of the browser. Developers will have to get the signatures through Addons.mozilla.org.

“Files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and sent back to the developer. This process should normally take seconds. If the file doesn’t pass review, the developer will have the option to request a manual review, which should take less than two days. This is not the same process that currently applies to AMO add-ons, which has been typically slower,” the Mozilla wiki says.

In addition to the add-on signing, Mozilla also has expanded its warnings about malicious and unwanted software in Firefox 40. Users now will see a special warning dialog when they visit a page that contains unwanted software.

“When downloading a file of a type that usually contains Windows or Mac executable code (for example, .com, .exe, .msi, .app, .dmg) Firefox asks Google’s Safe Browsing service if the file is safe by sending it some of the download’s metadata (file type, name, size, hash, URL, locale). If the file is flagged as harmful by this service, the download manager will block access to the file until the user performs a right-click, and unblocks it manually,” Francois Marier, a security and privacy engineer at Mozilla, said in a blog post.

Discussion

This new add-on signing is infuriating. Without warning, an update rendered all my Kaspersky extensions unusable, leaving my browser even more vulnerable than what the add-on signing is supposed to help prevent.
I really do not want to use Chrome, but the recent turn of events has helped me change my mind.
